Intro

Facebook Launched Call to Action (CTA) Units for Instant Articles which allows any Facebook Page to prompt readers to take a specific action. Since it was a new feature I thought to give it a try and I started testing it with different roles on the Page.

Details

After setting up call to action units an admin can either enable it or disable it. As an analyst it was not possible to make any changes to CTA via the UI but the authorization was missing on the API endpoints which allowed an analyst of a Page to make changes to it.
The vulnerable endpoint was /CTA_ID/ and any analyst can disable call to action by making request to this vulnerable endpoint. Since CTA_ID can also be queried by an analyst which makes this bug exploitable.

Proof Of Concept

1. First retrieve CTA_ID by making an API call to :https://graph.facebook.com/v2.9/PAGE_ID/instant_articles_ctas?access_token={YOUR_ACCESS_TOKEN}&fields=id

Response

{"data": [
{"id":"1474389416758418"}

2. Now make an API call to following endpoint :https://graph.facebook.com/v2.9/1474389416758418?access_token={YOUR_ACCESS_TOKEN}&method=post&request_type=UNENROLL

Response

{"success":"true"}

Impact

A Call to Action is introduced to gain more customers through Instant articles. So if an analyst can disable it, this will affect the traffic for an Instant Article.

Timeline

Intro

Hi Guys, This is my first blog post so pardon me for mistakes. I found this bug way back in 2014 when Yahoo’s bug bounty was launched on Hackerone. Yahoo have a huge scope of under their bug bounty program.

Details

I normally started by enumerating sub-domains and found Yahoo’s Taiwan services. There were multiple sub-domains each having different services. One of them was tw.user.bid.yahoo.com. I went to profile section on that sub-domain and while saving some changes a new page loads with confirmation of changes made. I noticed a parameter .done in URL bar which has value equals to homepage of that sub-domain. The page has a finished button which takes to the homepage after saving changes

I tried to get an open URL redirect by providing an arbitrary domain but it didn’t worked. After that I replaced the value with javascript:alert("XSS") and when pressed the button finished the popup appeared. I immediately reported it to yahoo team and they patched the bug.

Impact

Interestingly to get the XSS work there was no need to make any changes to the profile section but simply opening the confirmation page with injected payload in the parameter did the job. So, this bug can be used to steal session cookie. And then the sub-domain contains some sensitive info credit card details which was used to make bids on different products.